1 / 90

IT Security and Privacy

IT Security and Privacy. Fyfy Effendy Ross Hardy Amy Kirchner Amanda MacDonell Carrie Weinkein. Agenda. Overview Security Breaches Fraud and Identity Theft Chief Security Officer Phishing Emerging Technologies Best Practices. IT Security Defined.

sanne
Download Presentation

IT Security and Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT Security and Privacy Fyfy Effendy Ross Hardy Amy Kirchner Amanda MacDonell Carrie Weinkein

  2. Agenda • Overview • Security Breaches • Fraud and Identity Theft • Chief Security Officer • Phishing • Emerging Technologies • Best Practices

  3. IT Security Defined Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms. http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007

  4. Who cares about IT Security and Privacy?

  5. Management Does! Security and privacy rose from 19th in 1990 to 2nd in 2005 as a top management concern. Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99

  6. CIA Triangle • Three core concepts form the core principles of information security. • Confidentiality: • Information of confidential nature. • Integrity: • Data cannot be changed, deleted, or altered without authorization. • Availability: • All information and computer systems used in the protection of information are available and functioning properly. Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.

  7. Percentage of IT budget spent on IT security Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

  8. Security Breaches

  9. Common Types of Potential IT Security Breaches • There are many types of potential IT security threats: • Viruses • Theft • Fraud • Spam • Worms • Phishing/Spoofing • Sabotage • Social Networking Garg, Ashisha, Jeffrey Curtis, and Hilary Halper. “The Financial Impact of IT Security Breaches: What Do Investors Think?”. Security Management Practices. March/April 2003. PP 1-9.

  10. Types of Attacks or Misuse Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

  11. Trends in Information Security Breaches “Special Report: The Shift in Data Security- Stop the Insider Threat”. CSO FOCUS. October 2005. PP 2-8

  12. Trends in Information Security Breaches http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007

  13. Trends in Information Security Breaches http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007

  14. Frequency of Cyber Security Breaches Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

  15. Why should general managers care about IT security breaches?

  16. Cost of Cyber Security Breach • Tangible • Lost business • Lost productivity of non IT staffs • Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources • Legal costs associated with the collection of forensic evidence and the prosecution of an attacker • Public relations consulting costs, to prepare statements for the press, and answer customer questions • Increases in insurance premiums What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D. Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

  17. Cost of Cyber Security Breach • Intangible • Customers’ loss of trust in the organization • Failure to win new accounts due to bad press associated with the breach • Competitor’s access to confidential or proprietary information What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D. Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

  18. Amount Lost from Security Breach by Type Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

  19. Outsourcing Computer Security Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

  20. Outsourcing Computer Security • Most of the respondents did not outsource the IT security • IT security is one of the core capabilities and therefore should be kept in house. Source: Lacity, M., “Twenty Customer and Supplier Lessons on IT Sourcing,” Cutter Consortium, Vol. 5, 12, 2004, pp.1-27

  21. Most Critical Issues for the Next 2 years Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

  22. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

  23. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

  24. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

  25. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

  26. Chief Security Officer

  27. Role of the CSO • Good communicator • Able to promote IT security projects as business projects • Knowledgeable in a wide array of areas including IT, business, legal and policy McAdams, A., “Security and Risk Management – A Fundamental Business Issue” Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

  28. Functions of the CSO • Provide leadership • Establish an integrated information systems framework • Create and implement security policies and procedures • Set and monitor metrics • Allocate funding to IT projects • Create training programs for employees • Create support system for these programs McAdams, A., “Security and Risk Management – A Fundamental Business Issue” Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

  29. Background of a CSO • Come from a predominantly IS background • Other common backgrounds include: • Corporate Security (35%) • Military (32%) • Law Enforcement (21%) • Business Operations (19%) • Audit (18%) Petersen, Rodney, “The Role of the CSO” Educause Review September/October 2006 Pages 73-82

  30. Importance of the CSO The Global State of Information Security 2006 Survey, http://secure.idg.com.au/images/cio/CSO_Security_Survey.pdf, viewed April 14, 2007

  31. Doe Run Company St. Louis, Missouri

  32. Company Information – Doe Run • International natural resource company • Mining, smelting, recycling and fabrication of metals • North America’s largest integrated lead producer and third largest total lead producer in the world • Also produces zinc, copper, gold and silver • Locations in Missouri, Washington, Arizona and Peru • 4,000 employees worldwide • 2 Billion in annual sales http://www.doerun.com/about/company.aspx, viewed March 13, 2007

  33. Company Information – Doe Run • Founded in 1864 when St. Joseph Lead Company purchased land known for its lead deposits in Southeast Missouri. • The Southeast Missouri location operates the mining and milling division and extracts around 70% of the primary lead supply in the US. • In 2003, 4.6 million tons of ore mined and milled at this location. http://www.doerun.com/about/company.aspx, viewed March 13, 2007

  34. Company Information – Doe Run • Began operating a smelter in Herculaneum, MO in 1892 and all smelting activities were consolidated there in 1920. • 24-hour smelter that extracts lead from ore received from the Southeast MO division. • In 2003, produced 146,746 tons of primary lead. • In 1997, more than doubled in size by acquiring refineries and smelters in La Oroya, Peru. http://www.doerun.com/about/company.aspx, viewed March 13, 2007

  35. Company Information – Doe Run • Later that year they also acquired copper mines in Corbiza, Peru and created Doe Run Peru. • In, 2003 the Corbiza copper mine produced 67,216 metric tons of copper concentrate. • From this copper concentrate, the La Oroya division produces 15,700 metric tons of metallic copper. • They now operate six mines, four mills, one primary smelter and one lead recycling plant. http://www.doerun.com/about/company.aspx, viewed March 13, 2007

  36. Chief Security Officer • Craig Williams • Reports to the CIO who reports directly to CEO • Directly responsible for all data and physical security in North and South America • Annual IT budget of $2.8 million with one-third allocated to IT security • 50 employees in the IT department with 4 dedicated to security Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007

  37. Provisions for IT Security – Doe Run • Security policy and procedures manual • Employee security awareness training • Intrusion prevention and detection • Biometric technology for mobile computing Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007

  38. Common Threats – Doe Run • Social Engineering • Phone Calls • Visits • Virus Attacks • Hackers • Moved website from in-house to hosted Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007

  39. IT Security – Doe Run • Benefits • IT security has increased 75% since CSO position was created (one and a half years ago) • Have been able to get increased budget for IT security • Limitations • Not enough employees dedicated to IT security Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007

  40. Future of IT Security – Doe Run • Implement data mining security and encryption • Security policy updates • Continue doing security assessments • Attack and penetration • Physical • Door access using biometric technology • Will be utilized in new top secret area • Adhere to National Security Advisory Standards Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007

  41. Phishing

  42. Phishing • Online identity theft in which confidential information is obtained from an individual. • Direct phishing-related loss to US Banks and credit card issuers in 2003 was $1.2 billion • Indirect loss (customer service expenses, account replacement costs, increased expenses due to decreased use of online service) are much higher • Causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity. ITTC Report on Online Identity Theft Technology and Countermeasures (Aaron Emigh) http://www.antiphising.org, viewed March 15, 2007

  43. Tricks used in Spoof Emails • “Spoofing” reputable companies • Creating a plausible premise (i.e. account information is outdated, credit card is expired, or account has been randomly selected for verification) • Requires a quick response • Collecting information in the email • Links to web sites that gather information • Using IP address Anatomy of a Phishing Email By Christine E. Drake, Jonathan J. Oliver, and Eugene J. Koontz MailFrontier, Inc., 2004

  44. Phishing Examples: US Bank Source: http://www.antiphishing.org, viewed March 27, 2007

  45. Phishing Examples: US Bank Source: http://www.antiphishing.org, viewed March 27, 2007

  46. Phishing Targeted Industry Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

  47. Phishing Reports Received by Anti-Phishing Working Group (APWG) Source: Phishing Attack Trends Report – January 2007 & January 2006, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

  48. Top 10 Phishing Sites Hosting Countries Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

  49. Anti-phishing Solution • Implement educational programs for employees and users regarding phishing attack • Strong authentication – use digital signatures for outgoing emails • Phishing responsive service – users can forward emails to company to validation whether it really comes from credible sources • Create international network of contacts in the legal, government and internet service provider communities to identify sources of phishing attacks, shut down website and phiser’s account Source: http://www.verisign.com/static/031240.pdf, viewed March 27, 2007

More Related